The right of access under Article 15 of the GDPR is a central component of the rights of data subjects under the GDPR. The question what data is really to be handed over to a person requesting information is of huge practical importance. The Federal Court of Justice of Germany has now ruled on the scope of the right to information (judgment of 15.06.2021 - VI ZR 576/19) that the claim under Art. 15 GDPR must be interpreted very widely.
Right to information according to Art. 15 DSGVO
A fundamental principle of the GDPR is transparency in data processing. In order to comply with this principle, there is a right of access to personal data stored about oneself to the data controller according to Art. 15 GDPR. The data subject can demand that the data controller confirms whether personal data about him or her is being processed. If this is the case, he also has the right to be informed about this data. In addition, he or she can demand to receive a copy of the processed data pursuant to Article 15 (3) of the GDPR.
A policyholder disputed with his insurance company about the scope of his right to information under data protection law. It was argued between the parties what was covered by this. The insurance company subsequently provided information several times, which the policyholder rejected as incomplete.
BGH: Wide interpretation of "personal data".
According to Art. 4 No. 1 of the GDPR, "personal data" means any information relating to an identified or identifiable natural person. In its judgement, the BGH now clarifies that this is not limited to sensitive or private information, but potentially includes all types of information in the form of opinions or assessments.
According to the BGH, the right to information therefore also refers in principle to:
- Exchanged correspondence with the data subject, even if the letters are already known to the data subject. According to recital 63, first sentence, of the GDPR, the right to information serves to ensure that data subjects are aware of the purpose of the processing and the processing itself and can check its legality. According to the Federal Supreme Court, the possible awareness of the data subject that the correspondence was once exchanged is not enough for this.
- Exchanged correspondence with third parties about the data subject.
- Internal (telephone) notes or internal communications if they contain personal data.
- The data subject's "premium account" with an insurance company as well as data from the insurance policy.
At the same time, the BGH stated that no information has to be provided in the case of internal processes in which only a legal assessment is made. Since the assessment of the legal situation itself does not contain any personal data, it is not subject to the right to information. Data on commission payments of an insurer to third parties are also not covered by the right to information.
Significance for the practice
The significance of this ruling goes far beyond the insurance industry. It is therefore advisable to take appropriate precautions in the company at an early stage in order to be able to answer requests for information quickly and completely. Since internal notes can now also be brought to light, strict attention should now be paid to what is documented and in what form this is done.
Also, in the case of a request for information, all documents that contain a reference to a person should not be disclosed prematurely. If the applicant requests a copy pursuant to Article 15 (3) of the GDPR, it must be checked in advance, for example, whether the documents contain personal data of third parties that must be redacted.
Not complying with the request for information at all or only inadequately is not a solution either. This can not only result in an expensive legal dispute, but also lead to a high fine. Depending on the type of data, non-disclosure can also lead to claims for damages by the data subject.